Development View on Application Security

As ties between application developers and security professionals grow closer than ever through the shift to DevOps and continuous testing, developers are increasingly tasked with more hands-on security testing and mitigation work. This page collects information for developers seeking to improve their security game.


Getting to Remediation

The goal of security testing is to put the right tools in the hands of security and development teams so they can fix flaws as efficiently as possible.

Average Fix Rates of Vulnerabilities (State of Software Security, by report volume)

Volume 7: 54%
Volume 6: 51%

The fix rate of vulnerabilities discovered in the first scan, compared to those revealed in the last scan, was about 54%.

By what percent does the fix rate improve when sandbox testing is used?

The measurable effects of this kind of testing are undeniable. Even just a single sandbox scan improved an organization's software fix rate almost two-fold.

Importance of Sandbox Testing

Veracode also offers the capability for developers to test in a sandbox mode that gives them a chance to perform regular assessments that are effectively 'off-the-record.' This gives developers the freedom to test and improve code incrementally without anyone breathing down their necks about poor early results.

FIX RATE EFFECTS OF SANDBOX TESTING

Avg. fix rate with no sandbox scans: 30%
Avg. fix rate with 1+ sandbox scans: 59%

Flaw Density

On average, flaw density is almost cut in half between the first assessment and the final reassessment at any given organization.

First assessment: 67 flaws/MB
Reassessment:     36 flaws/MB
REMEDIATION COACHING

There are several practices that can greatly improve flaw density metrics during remediation. For example, remediation coaching improves flaw density reduction by about 1.45x.

              Flaw density, first scan   Flaw density, latest scan   % reduction
No Readout    68.55                      38.66                       43.6%
Readout       59.57                      21.74                       63.5%

eLEARNING & DEVELOPER TRAINING

Even more dramatically, eLearning and developer training go further still, giving organizations six times better flaw density reduction metrics.

                   Flaw density, first scan   Flaw density, latest scan   % difference
No eLearning Sub   46.23                      42.01                       9.1%
eLearning Sub      68.06                      30.64                       55%

Impact of DevOps & Continuous Testing

The majority of applications today get just the bare minimum number of rescans necessary to bring them into policy compliance.

Policy Reassessment

About 9% of applications get more than 15 policy scans within an 18-month period. More telling, at the upper end some organizations ran as many as 776 policy scans during that same period, about 1.4 official scans per day. When scans in sandbox mode are included, that grew to as many as 6 scans per day.

Rate of policy reassessment in 18-month period
Only one scan: 40%
2-15 scans:    51%
15+ scans:     9%

The ability to frequently test applications is going to be crucial to the success of secure development initiatives at companies with continuous development and deployment models like those found in DevOps environments.

While the average number of scans per app is 7, there are some good signs that DevOps and continuous testing practices are starting to creep into organizations. About 9% of apps get more than 15 policy scans in an 18-month period, and some organizations did as many as 776 policy scans in the same time period.

Developer practices are changing
Suggests certain organizations are moving toward DevOps and continuous delivery patterns

Application Development Landscape

These data points provide a valuable glimpse into today’s preferences for programming languages in the enterprise, along with breakdowns on how prone certain languages are to security imperfections.

PROGRAMMING LANGUAGES

Programming language choice has shifted over the past several years. Many of the changes are subtle, but they do provide some visibility into overall changes occurring in the enterprise development landscape.

Language       Volume 7   Volume 6   Volume 5
Java           42.6%      44%        50%
.NET           26.6%      27%        37%
C/C++          7.3%       4%         9%
PHP            4.5%       4%         8%
Android        4.1%       3%         3%
JavaScript     3.3%       <1%        n/a
ColdFusion     1.5%       2%         3%
Classic ASP    1.1%       3%         n/a
All Other      2.3%       <1%        n/a

VULNERABILITY TYPES

Over the last three years the relative ranks of these languages have remained largely unchanged, but there are some new entrants into the field, and they are becoming statistically significant fairly quickly.

Language        Cross-site scripting   SQL injection   Cryptographic issues   Credentials management
.NET            51%                    37%             67%                    28%
Android         2%                     39%             91%                    40%
Classic ASP     85%                    68%             27%                    34%
C/C++           8%                     9%              58%                    18%
COBOL           3%                     8%              8%                     18%
ColdFusion      84%                    59%             2%                     1%
iOS             0%                     1%              82%                    69%
Java            58%                    35%             65%                    55%
JavaScript      35%                    10%             20%                    20%
PHP             87%                    53%             80%                    66%
Ruby on Rails   45%                    55%             20%                    0%
VB6             10%                    40%             45%                    68%


POLICY COMPLIANCE

Software written in web scripting languages tends to struggle to meet OWASP standards.

Language       % Pass OWASP   % Fail OWASP
Java           61.3%          38.7%
.NET           61.9%          38.1%
C/C++          87.9%          12.1%
PHP            32.5%          67.5%
iOS            64.4%          35.6%
Android        64.2%          35.8%
Classic ASP    41.9%          58.1%
ColdFusion     37.5%          62.5%
JavaScript     40.5%          59.5%


WHAT DOES ALL OF THIS MEAN?

As application security increasingly becomes non-negotiable for upper-level managers, more and more developers are going to be measured and judged not just on features and timetables but also on how securely they code their software. The observations provided in this report offer excellent fodder to help developers at every level look for ways to up their AppSec game.
